CRITICAL🇵🇱 Wersja polska

CVE-2026-21962

CVSS 10.0v3.1pub. 2026-01-20upd. 2026-02-03

Vulnerability in the Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in product of Oracle Fusion Middleware (component: Weblogic Server Proxy Plug-in for Apache HTTP Server, Weblogic Server Proxy Plug-in for IIS). Supported versions that are affected are 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Easily exploitable vulnerability allows unauthenticated attacker with network access via HTTP to compromise Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in. While the vulnerability is in Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in, attacks may significantly impact additional products (scope change). Successful attacks of this vulnerability can result in unauthorized creation, deletion or modification access to critical data or all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data as well as unauthorized access to critical data or complete access to all Oracle HTTP Server, Oracle Weblogic Server Proxy Plug-in accessible data. Note: Affected version for Weblogic Server Proxy Plug-in for IIS is 12.2.1.4.0 only. CVSS 3.1 Base Score 10.0 (Confidentiality and Integrity impacts). CVSS Vector: (CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N).

🤖 AI Analysis
How it works

The vulnerability is classified as CWE-284 (Improper Access Control) and results from improper access control in WebLogic Server Proxy Plug-in components for Apache HTTP Server and IIS. An attacker with network access via HTTP can exploit the vulnerability without authentication and without user interaction. Exploitation causes a scope change, meaning the impact extends beyond the directly attacked component and may affect other related products.

Impact

An attacker can gain unauthorized full access to read critical data or all data available to Oracle HTTP Server and WebLogic Server Proxy Plug-in, as well as unauthorized creation, modification or deletion of critical data. The vulnerability affects both confidentiality and data integrity (both CVSS indicators at HIGH level).

Mitigation & patch

Apply patches available from the vendor according to references — Oracle Critical Patch Update from January 2026 (https://www.oracle.com/security-alerts/cpujan2026.html). Due to the maximum CVSS score and lack of prerequisites on the attacker's side, the update should be performed immediately.

Who is affected

Oracle HTTP Server and Oracle WebLogic Server Proxy Plug-in in versions 12.2.1.4.0, 14.1.1.0.0 and 14.1.2.0.0. Note: for WebLogic Server Proxy Plug-in for IIS, the vulnerability affects only version 12.2.1.4.0.

Analysis generated by Claude AI (Anthropic) based on NVD data. Always verify with vendor.
CVSS Vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:C/C:H/I:H/A:N
  • Oracle HTTP Server

    APP
    Oracle
    12.2.1.4.014.1.1.0.014.1.2.0.0
  • Oracle Weblogic Server Proxy Plug In

    APP
    Oracle
    12.2.1.4.014.1.1.0.014.1.2.0.0
🔵
CHECK WITH VENDOR
No clear patch data available. Check vendor references.
Tags
Auth Bypass
CWE
References

Related vulnerabilities

CVE-2021-40438CRITICAL9.0⚠ KEVten sam produkt

A crafted request uri-path can cause mod_proxy to forward the request to an origin server choosen by the remot...

CVE-2020-35169CRITICAL9.1ten sam produkt

Dell BSAFE Crypto-C Micro Edition, versions before 4.1.5, and Dell BSAFE Micro Edition Suite, versions before ...

CVE-2022-22720CRITICAL9.8ten sam produkt

Apache HTTP Server 2.4.52 and earlier fails to close inbound connection when errors are encountered discarding...

CVE-2022-22721CRITICAL9.1ten sam produkt

If LimitXMLRequestBody is set to allow request bodies larger than 350MB (defaults to 1M) on 32 bit systems an ...

CVE-2022-23943CRITICAL9.8ten sam produkt

Out-of-bounds Write vulnerability in mod_sed of Apache HTTP Server allows an attacker to overwrite heap memory...